Categories
Tutorials

How To use TOTP with your PayPal account

There is already a fantastic guide on Medium which shows you how to use PayPal together with Time-based One-Time Passwords (short: TOTP). Sadly it’s outdated, so I decided to write an updated and tested guide of my own.


Categories
AMD Security

AMD’s virtual machine encryption bypassed – NOPE!

AMD’s Epyc server chips utilize Secure Encrypted Virtualization (SEV) to automatically encrypt virtual machines on the fly while stored in memory, but researchers now say that they can get around it with a technique dubbed SEVer: “miscreants at the host level can alter a guest’s physical memory mappings, using standard page tables, so that the SEV mechanism fails to properly isolate and scramble parts of the VM in RAM”.

AMD Epyc CPU. Picture Source: AMD Press Conference

Categories
Security Software

DiscordCrypt: Unofficial End-to-End Encryption for Discord has arrived

Riot (Matrix) is my favorite chat program but it suffers from one major issue: it’s slow, and the user interface is – I wouldn’t say horrible – but has ‘room for improvement’. So, overall, most users are using Discord instead, which is still not a bad client. It has HTTPS, but the server owner might see and sell your content (such as news links, ideas etc.). The E2E idea and the ticket (feature request) have been closed in the meantime, and the developers explained in their answer that this will not be implemented.


Categories
Security Tutorials

How To secure your OpenVPN configuration

There are many traps when it comes to the OpenVPN configuration which your VPN provider has to offer. In this short tutorial I will show you what you need to know and which points are really important to look at.


Categories
Browser

Chromium removed the ability to compile the Browser without WebRTC

There’s bad news and there’s good news for security fans. First things first – the Chromium source code disabled the ability to compile the Browser without WebRTC. For those who have no clue why WebRTC is a thing: back in 2015 there was a huge security breach based on the Web Real-Time Communication project which allowed attackers to reveal your real IP even behind a VPN. So people started asking what can be done, and it seems disabling WebRTC is the best solution – in case your VPN hasn’t patched its own VPN configuration.

Cent Browser still allows you to disable WebRTC together with some other gimmicks.

Alternative Chromium based Browsers

I often recommend the woolyss project because the guys behind it compiled a Chromium version (stable/beta) without stuff like WebRTC (and more), but those times are over because the Chromium project decided to remove the ability to compile the Browser without the flag. The change made sense in my opinion because WebRTC is not evil; it’s just that some bad guys can abuse some weaknesses, but no protocol/project is perfect and most VPN providers have already patched their server configuration in order to prevent any IP leakage. Chromium officially provided an extension to control this, but some people preferred to entirely disable WebRTC. That’s imo not an optimal solution because WebRTC video calls are still more secure compared to other insecure protocols. Most modern chat clients, like Discord, Riot or Signal, are also using WebRTC.

So what can you do?

Well, the woolyss project is not dead and I’m sure these guys will work on it, but in the meantime you might want to try out Cent Browser. It’s a pretty young project from 2015 and it looks promising, since its developers include patches in order to provide builds without WebRTC and other stuff like disabling HTML5 canvas in order to reduce your Browser fingerprint. It seems – from what I saw so far – to be the Chromium based Browser with the most features.

The developers seem to put a lot of effort into the project in order to provide an ‘unfucked’ Browser. I already wrote a comment on woolyss (which wasn’t published, for no reason) that they could ask those devs for the necessary patches to continue to provide their builds without WebRTC.

Final Words

WebRTC has been a privacy concern since 2015 for some people, because attackers might abuse a weakness, and WebRTC itself can’t be patched to solve this without breaking existing implementations. So it’s up to your Browser to protect you against it, but the implementations are problematic. You can enable or disable WebRTC in Firefox or Cent Browser, but there is no domain based rule exclusion possible, which would be optimal to disallow WebRTC on a global level and allow it only for those pages which are secured.

Categories
Security

Sometimes you can’t take EFF seriously

Well, I’ve already been fighting against FUD for years, especially when it comes to privacy tools and recommendations, and I often fight against individuals or people who still believe in application security. However, this time the Electronic Frontier Foundation (EFF) failed – so what happened? We had the recent leak called Efail, which is a weakness in PGP and S/MIME, and EFF wrote in their documentation, as a precaution, to disable the security extensions S/MIME – which is no-go advice, especially because everything is in most cases patchable so in this case.

EFail Overview.

Categories
Android

How Advertising Malware smuggles Malware into the Google Play Store

“Always download apps from the official app store.” – that’s what people argue in order to stay away from malware, but is this true? Several pieces of malware were already found within the official Store during the past years. Google reacted and hardened their systems; as a result, your device gets regularly scanned in order to find malware apps. Google also improved their own security mechanisms, so their contribution rules and app restrictions, which are meant to prevent bad people from abusing some permissions, are a bit stricter.

Picture Source: gizbot.com


Categories
BitCoin Security

Anonymity in the Cryptocurrency Monero – YES, Monero is still secure!

Researchers have exploited a flaw in the cryptocurrency Monero to break the anonymity of transactions; however, this is just a re-release and seems to be already over 1 year old now. Several pages ‘forgot’ to mention that this is already resolved, and the newly introduced and updated research paper overall says nothing that is not already well known.

Is Monero really untraceable? Picture Source: Official Monero YouTube channel

Categories
Security

Encryption Tools & Algorithm the NSA & Co. still can’t crack

Lots of people often give agencies too much credit because of Snowden and other whistleblower leaks, but GCHQ & Co. don’t have unlimited power over every program, connection or algorithm. In my little guide here I show what the NSA still can’t crack, based on research and leaks.
